User accounts may be created to control access to applications. A user name and a password may be assigned to a person or business partner who works with an application. User roles may be assigned to accounts, and determine types of access that users are allowed when using the application. For example, a group of users may be defined, where a user from the group may view an application's content and make changes to that content. Such a group of users may be assigned to the role “Author”. An application's administrator can modify access rights for defined roles or create new roles.
The object instances associated with the application may be associated with different authorization rights for different users. The object instances may be defined based on a data model, including a definition of attributes for the objects. Object instances may be organized in a hierarchical manner according to hierarchy criteria, such as location, time, etc. When users log in an application, they provide their user names and passwords to start an authentication process. Authenticated users may perform actions and/or operations on object instances associated with the application. User may be part of different user groups having different roles. Authenticated users group include users whose identities were authenticated when they logged in the application.